[dmarc-ietf] Re: Failure Reports, section 2, reporting frequency
Douglas Foster <dougfoster.emailstandards@gmail.com> Thu, 03 July 2025 18:08 UTC
Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@mail2.ietf.org
Delivered-To: dmarc@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id A20533DA89BE for <dmarc@mail2.ietf.org>; Thu, 3 Jul 2025 11:08:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fZ49PnJvNnyt for <dmarc@mail2.ietf.org>; Thu, 3 Jul 2025 11:08:51 -0700 (PDT)
Received: from mail-pg1-x52e.google.com (mail-pg1-x52e.google.com [IPv6:2607:f8b0:4864:20::52e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id F3DDC3DA89A6 for <dmarc@ietf.org>; Thu, 3 Jul 2025 11:08:50 -0700 (PDT)
Received: by mail-pg1-x52e.google.com with SMTP id 41be03b00d2f7-b31f0ef5f7aso91431a12.3 for <dmarc@ietf.org>; Thu, 03 Jul 2025 11:08:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1751566130; x=1752170930; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=2KoY4S8Yjr8/bquVONSZ+xIC2gCU2IZNHskdOFkjHro=; b=VN8lH8oG11I8nVFU7wd0nQJ3ZcqbFBx8nqZj/pWS2bcIt7T5zQRr8IQPCoZyi75am4 uzFlRoOsZsiGc4+ldRmKZulZHK2E4gAgsDO3Sgs0UtABv3TxYfwcT5rLvo52aDokZcnR 2TAcx5u/PmYOW5WYOG2uRjP4fLW7xdAK+kli7T4fuTSrg+9ImeBhnwpKUmMTv+G+6iZo amR9vfQzmsUVGof+dCBZtE9xwUnxieQ8XucHH11k2LLPWrm0jHkFIEjXlYqpFzbY6qXv R+NySCO787mHWh/GJ2Tt+Iy3KrWXNojBmVb04Dv33vmjiGezOXogkVUejtBP6wNwoQch B69g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1751566130; x=1752170930; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=2KoY4S8Yjr8/bquVONSZ+xIC2gCU2IZNHskdOFkjHro=; b=vwP6a8sVDQjYpwwMaEd8apavht9IUuQ1hOmQwyBeE0UnyCsuZ0O4a2geVmySqtOrK2 muf6PNwnni2PXVDq24ToaQxY9QOKW2WL/ARgKn4ByWYI6ee8gRnNOnR3ssGTXZvGl7ez YoFalU8RK5IW/Qat+7q3MHjazWY5RFBd5SLAHsEBgdQCAm3FdWHFb2y+BodGGBboEQo9 FEHMDMEpBgvXxDTrIk02b4X5CjhcUf0nGWxRV6xnlETO679W04NDCz6tVigblBvwJdzO QAY8V4EK/y+58ITU9pwIbIpKDVlLMkWjT4WutklHKbf9zxiu979YxajZAlTRu6FwMSuV lYMg==
X-Gm-Message-State: AOJu0YwcL1UieGQ4MFU/o3+GipjxnHPeqKrFVqPN62wMvgLpYuXN8rYZ qTnmCte33c2famYfj4y2nsIoZ13s9F6FixlqVe6e3E8Hz4wKZXO3o96eEUq0K45RFiLWuixSqDX P0lwAkzZON9FcwJg8uWy9zZFf7EoSfih5pA==
X-Gm-Gg: ASbGnctc+GatP9N8msRhkdaEABZO3wLBV0LlmfYhqr9addtod+Bg26/WW18beq3uKsx /gm60ly3HjXZ+wo4FZwp+ptUepSsO94OZFB5CstkndVQzaj9o6YvM1xK8KyjAG55mP/34X4o8Dq 9HMR/IjA0x0zb7+R4axcordfcfc1Cq3roQWehqxvKMB46QyGYy4PI8sPbIXd2XnUuPGOFuQcA=
X-Google-Smtp-Source: AGHT+IHmQgOl3kOdnHi3XDtGpUxuvaX7LQxAOy6NlvTknJg6mblQvgxe9HUSu5YCp3/WomhGtoA7KxYP3dUMJ1eO14k=
X-Received: by 2002:a17:90b:4ac1:b0:311:ffe8:20e2 with SMTP id 98e67ed59e1d1-31a90b0e413mr11675919a91.4.1751566129991; Thu, 03 Jul 2025 11:08:49 -0700 (PDT)
MIME-Version: 1.0
References: <CAH48ZfzbqWsL4tyKe_s_VxqkrJHmVF4UK2qC39zp0v4pavENSQ@mail.gmail.com> <CAJ4XoYc26s_xh-HWzYLpR1T2Yn49pKkTXoD-8=bnot8pd_JaEA@mail.gmail.com>
In-Reply-To: <CAJ4XoYc26s_xh-HWzYLpR1T2Yn49pKkTXoD-8=bnot8pd_JaEA@mail.gmail.com>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Thu, 03 Jul 2025 14:08:41 -0400
X-Gm-Features: Ac12FXz1D7SbrSyCqIWGE7TghQJ-IpqAPKit3y2w3uau377Z_fY6a5fsIjVeN2U
Message-ID: <CAH48ZfyZamHf_V_Fph0eDTwN-_HDa5TKDC2XGre4JdNBBOBwsw@mail.gmail.com>
To: Dotzero <dotzero@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000fa95a006390a448b"
Message-ID-Hash: GTQMYE6AK5RCSLHTKBJGF7JLHK66N2VI
X-Message-ID-Hash: GTQMYE6AK5RCSLHTKBJGF7JLHK66N2VI
X-MailFrom: dougfoster.emailstandards@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dmarc.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: IETF DMARC WG <dmarc@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [dmarc-ietf] Re: Failure Reports, section 2, reporting frequency
List-Id: "Domain-based Message Authentication, Reporting, and Compliance (DMARC)" <dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/q8kHjlpCkH8l1UYj62fe4TbjtBg>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Owner: <mailto:dmarc-owner@ietf.org>
List-Post: <mailto:dmarc@ietf.org>
List-Subscribe: <mailto:dmarc-join@ietf.org>
List-Unsubscribe: <mailto:dmarc-leave@ietf.org>
I thought I was adding precision to the vague generalities in the draft. I am all for anti-abuse. I agree that the primary benefit of failure reporting is anti-abuse. Others are correct in saying that there are other ways to solve most DKIM problems. For smaller players, the hope is that the failure report recipient organization will be a bigger entity with better options for fighting abusers. If anti-abuse requires essentially every incident to trigger a report, then the document should be clear that such is the intended norm. In that case, any lesser volume is merely deference to the reality that mail senders will only do what they are willing. If we aggregate at all, including the local-part in the grouping rule will defeat the attempt to aggrehate. Too many addresses have encoding that creates uniqueness or near uniqueness, even when the nominal mailbox recurs. IP drives the investigation to a specific machine (or organization exit path) and SMTP domain drives the investigation to a specific administrative context on the source server or source organization. Overall, any higher level of aggregation loses context, and any lower level of aggregation becomes too granular. Leaving things for the developer to guess about aggregation strategies seems like a terrible idea. Being able to to assess whether aggregated reports from different sources are about similar or different problems seemed important to me. If every incident gets a report, then maybe the issue is less important because the full message parse will give the answer eventually. Doug On Thu, Jul 3, 2025, 8:45 AM Dotzero <dotzero@gmail.com> wrote: > > > On Thu, Jul 3, 2025 at 7:50 AM Douglas Foster < > dougfoster.emailstandards@gmail.com> wrote: > >> I believe the reporting strategy needs to be defined in more detail than >> provided in section 2, because we need to ensure that report volumes are >> manageable for both sender and receiver, and to ensure that receivers can >> make sense of multiple reports from multiple sources. Leaving this issue >> to the imagination of each implementer will cause interoperability problems. >> >> . I propose the following: >> >> Reporting Frequency >> "The aim of failure reporting is not to count each and every failure, but >> rather to report different failure conditions." These design >> considerations apply to this goal: >> >> A failure condition is defined as a unique combination of RFC5322.From >> Domain, RFC5321.MailFrom domain, and source IP address. This corresponds >> to the three parameters of the SPF alignment test. It also provides enough >> granularity so that separate problems are likely to be reported >> separately. This approach also helps a report receiver classify whether >> reports from different receivers represent different conditions or multiple >> information sources about a single condition. >> >> Failure reports need to be repeated periodically, to ensure that the >> receiver has sufficient information to solve the problem, to ensure that >> failure conditions are not overlooked, and to provide clarity about whether >> a condition is resolved or not. However, excessive reporting will hinder >> efforts to solve known problems, and may cause report senders or report >> recipients to cease participation in failure reporting. >> >> Some failure conditions will represent crises that require a prompt >> response, some failure conditions will involve complexity that takes time >> to resolve, and some failure conditions will be unsolvable. The reporting >> frequency needs to correspond to these situations. >> >> Given these considerations, the following guidelines are provided: >> >> New failure conditions should be reported promptly. The initial report >> will generally represent a single message, but may represent multiple >> messages if a cluster of messages are received together. >> >> After the initial report is sent, no more reports are sent until the end >> of a time interval. The time interval is gradually increased so that the >> volume of reports on a single condition declines. >> >> The following reporting intervals are recommended: >> After the initial report, send additional reports at hourly intervals if >> additional failures occur. >> After the first day, send additional reports at daily intervals if >> additional failures occur. >> After two weeks, send additional reports at weekly intervals until the >> problem is resolved or the administrator concludes that further reporting >> is not useful. >> >> Doug Foster >> > > I'm going to have to think about this. What you propose limits the amount > of information to the report recipient. I'm a security/anti-abuse person. > The number of reports in an abuse situation gives me information about > scale and scope of an attack. Is it targeting one receiver domain or > multiple ones and at what scale? An attacker can also switch up the URLs > contained in the emails even though the failure "types" may look the same. > The useful information is in parsing the individual reports. > > My next concern is the additional burden you are placing on report > providers. At the moment there is absolutely no running code at all which > supports what you are proposing. Looking at the recharter I would take the > position that such changed (expanded) requirements are beyond the scope of > what we are charged with doing. > > I'm also not sure that your proposed changes are necessary. Your focus > appears to be on validation/delivery issues from a legitimate sender rather > than abuse. In that case, for each report received by a sending domain, > they have sent an outbound email to the reporting domain. If they have the > resources to send that outbound email they should have the resources to > receive the failure reports. Even in the case where they are overwhelmed > with failure reports resulting from abuse, they can always send those > reports straight to /dev/null as needed. I always recommend having a > separate host or pool of hosts for reports to avoid potentially impacting > regular inbound mail flows. > > As I wrote at the beginning of the post, I will have to think on this. > > Michael Hammer >
- [dmarc-ietf] Failure Reports, section 2, reportin… Douglas Foster
- [dmarc-ietf] Re: Failure Reports, section 2, repo… Dotzero
- [dmarc-ietf] Re: Failure Reports, section 2, repo… Alessandro Vesely
- [dmarc-ietf] Re: Failure Reports, section 2, repo… Douglas Foster